Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/haproxy.pp | 17 | ||||
-rw-r--r-- | manifests/haproxy/endpoint.pp | 13 | ||||
-rw-r--r-- | manifests/profile/base/database/redis.pp | 2 | ||||
-rw-r--r-- | manifests/profile/base/gnocchi/api.pp | 24 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker.pp | 8 | ||||
-rw-r--r-- | manifests/profile/base/pacemaker_remote.pp | 7 | ||||
-rw-r--r-- | manifests/profile/pacemaker/ovn_northd.pp | 36 |
7 files changed, 41 insertions, 66 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 208f328..6b305cb 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -780,7 +780,7 @@ class tripleo::haproxy ( 'cookie' => 'SERVERID insert indirect nocache', 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. - 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", + 'redirect' => 'scheme https code 301 if !{ ssl_fc }', 'option' => [ 'forwardfor', 'httpchk' ], 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }',
@@ -902,17 +902,8 @@ class tripleo::haproxy ( } if $keystone_public { - if $service_certificate { - $keystone_public_tls_listen_opts = { - 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', - # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. - 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", - 'option' => 'forwardfor', - } - } else { - $keystone_public_tls_listen_opts = { - 'option' => [ 'httpchk GET /v3', ], - } + $keystone_listen_opts = { + 'option' => [ 'httpchk GET /v3', ], } ::tripleo::haproxy::endpoint { 'keystone_public': public_virtual_ip => $public_virtual_ip,
@@ -921,7 +912,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts), + listen_options => merge($default_listen_options, $keystone_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, member_options => union($haproxy_member_options, $internal_tls_member_options),
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 16e0bd1..f1e80e8 100644
--- a/manifests/haproxy/endpoint.pp
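Review bot: The context comment `# NOTE(jaosorior): We always redirect to https for the public_virtual_ip.` no longer describes the new `'redirect'` value in the first hunk, which drops the `hdr(host)` test and now redirects every request that did not arrive over TLS, whatever Host header it carries. If this listener also has a plaintext internal bind (not visible in the hunk), internal clients would be redirected as well, so that is worth confirming. I would reword the comment to `# NOTE: every request that did not arrive over TLS is redirected to https, regardless of the Host header.` The options hash starts and ends outside the hunk.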
+++ b/manifests/haproxy/endpoint.pp
@@ -108,9 +108,20 @@ define tripleo::haproxy::endpoint ( # service exposed to the public network if $public_certificate { + if $mode == 'http' { + $tls_listen_options = { + 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', + 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", + 'option' => 'forwardfor', + } + $listen_options_real = merge($tls_listen_options, $listen_options) + } else { + $listen_options_real = $listen_options + } $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) } else { + $listen_options_real = $listen_options $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param) } } else {
@@ -138,7 +149,7 @@ define tripleo::haproxy::endpoint ( bind => $bind_opts, collect_exported => false, mode => $mode, - options => $listen_options, + options => $listen_options_real, } haproxy::balancermember { "${name}": listening_service => $name,
diff --git a/manifests/profile/base/database/redis.pp b/manifests/profile/base/database/redis.pp
index 830ffc6..e357359 100644
--- a/manifests/profile/base/database/redis.pp
+++ b/manifests/profile/base/database/redis.pp
@@ -37,7 +37,7 @@ class tripleo::profile::base::database::redis ( $step = Integer(hiera('step')), ) { if $step >= 2 { - if $bootstrap_nodeid == $::hostname { + if downcase($bootstrap_nodeid) == $::hostname { $slaveof = undef } else { $slaveof = "${bootstrap_nodeid} 6379"
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index 4572397..3953f04 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
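Review bot: `merge($tls_listen_options, $listen_options)` is a shallow merge in which the right-hand hash wins, so a caller whose `$listen_options` carries its own `'option'` key replaces `'option' => 'forwardfor'` instead of adding to it. The keystone_public caller in manifests/haproxy.pp now passes `'option' => [ 'httpchk GET /v3', ]`, which would leave that endpoint without `forwardfor` unless `$default_listen_options` supplies it, and the backend would then log the proxy address rather than the client address. Consider combining the two `'option'` values explicitly before the merge, or document on the define that callers must include `forwardfor` themselves. Separately, the `redirect` string interpolates `${public_virtual_ip}` while the bind line wraps the same variable in `any2array()`, so an array value would presumably render a malformed `hdr(host)` test; worth confirming.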
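Review bot: `options => $listen_options_real` in the second hunk relies on every branch above having assigned the variable, but this commit only adds assignments inside the `if $public_certificate` / `else` pair. The outer `} else {` branch that closes the first hunk lies outside both hunks and is not shown being changed. If that branch does not set the variable, endpoints taking it would get `options => undef` and silently lose the caller's `$listen_options`; adding `$listen_options_real = $listen_options` there would close the gap.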
@@ -89,12 +89,11 @@ class tripleo::profile::base::gnocchi::api ( $tls_keyfile = undef } - if $step >= 3 and $sync_db { + if $step >= 4 and $sync_db { include ::gnocchi::db::sync } - if $step >= 3 { - include ::gnocchi::api + if $step >= 4 or ($step >= 3 and $sync_db) { include ::apache::mod::ssl class { '::gnocchi::wsgi::apache': ssl_cert => $tls_certfile,
@@ -107,19 +106,20 @@ class tripleo::profile::base::gnocchi::api ( coordination_url => join(['redis://:', $gnocchi_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/']), } case $gnocchi_backend { - 'swift': { include ::gnocchi::storage::swift } + 'swift': { + include ::gnocchi::storage::swift + if $sync_db { + include ::swift::deps + # Ensure we have swift proxy available before running gnocchi-upgrade + # as storage is initialized at this point. + Anchor<| title == 'swift::service::end' |> ~> Class['Gnocchi::db::sync'] + } + } 'file': { include ::gnocchi::storage::file } 'rbd': { include ::gnocchi::storage::ceph } default: { fail('Unrecognized gnocchi_backend parameter.') } } + include ::gnocchi::api } - # Re-run gnochci upgrade with storage as swift/ceph should be up at this - # stage. - if $step >= 5 and $sync_db { - exec {'run gnocchi upgrade with storage': - command => 'gnocchi-upgrade --config-file=/etc/gnocchi/gnocchi.conf', - path => ['/usr/bin', '/usr/sbin'], - } - } }
diff --git a/manifests/profile/base/pacemaker.pp b/manifests/profile/base/pacemaker.pp
index 264723b..bc15e62 100644
--- a/manifests/profile/base/pacemaker.pp
+++ b/manifests/profile/base/pacemaker.pp
@@ -111,9 +111,11 @@ class tripleo::profile::base::pacemaker ( cluster_setup_extras => $cluster_setup_extras, remote_authkey => $remote_authkey, } - class { '::pacemaker::stonith': - disable => !$enable_fencing, - tries => $pcs_tries, + if $pacemaker_master { + class { '::pacemaker::stonith': + disable => !$enable_fencing, + tries => $pcs_tries, + } } if $enable_fencing { include ::tripleo::fencing
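Review bot: The new relationship `Anchor<| title == 'swift::service::end' |> ~> Class['Gnocchi::db::sync']` in the second gnocchi hunk is evaluated whenever `$sync_db` is true, inside a block that the first hunk opens with `$step >= 4 or ($step >= 3 and $sync_db)`, yet `include ::gnocchi::db::sync` is now gated on `$step >= 4`. At step 3 on the sync node with the swift backend, the catalog would therefore reference a class this profile has not declared, which would fail compilation unless another class pulls it in. Either wrap the relationship in the same `$step >= 4` test or align the two conditions. The class body starts outside both hunks.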
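Review bot: With `class { '::pacemaker::stonith': ... }` now wrapped in `if $pacemaker_master`, any reference to `Class['pacemaker::stonith']` further down has to be guarded the same way, and the `if $enable_fencing` block continues past the end of this hunk. The lines removed from pacemaker_remote.pp in this same commit show the ordering `Class['tripleo::fencing'] -> Class['pacemaker::stonith']` that such a block carried; if the same ordering remains here, a non-master node with fencing enabled would reference an undeclared class. A short comment on the new guard would also help, for example `# stonith is toggled from the pacemaker master only` with the reason, which the hunk does not state.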
diff --git a/manifests/profile/base/pacemaker_remote.pp b/manifests/profile/base/pacemaker_remote.pp
index 6b96713..f4265ff 100644
--- a/manifests/profile/base/pacemaker_remote.pp
+++ b/manifests/profile/base/pacemaker_remote.pp
@@ -46,11 +46,6 @@ class tripleo::profile::base::pacemaker_remote ( } $enable_fencing_real = str2bool($enable_fencing) and $step >= 5 - class { '::pacemaker::stonith': - disable => !$enable_fencing_real, - tries => $pcs_tries, - } - if $enable_fencing_real { include ::tripleo::fencing
@@ -58,7 +53,5 @@ class tripleo::profile::base::pacemaker_remote ( Pcmk_resource<||> -> Class['tripleo::fencing'] Pcmk_constraint<||> -> Class['tripleo::fencing'] Exec <| tag == 'pacemaker_constraint' |> -> Class['tripleo::fencing'] - # enable stonith after all fencing devices have been created - Class['tripleo::fencing'] -> Class['pacemaker::stonith'] } }
diff --git a/manifests/profile/pacemaker/ovn_northd.pp b/manifests/profile/pacemaker/ovn_northd.pp
index fcf14ff..212c345 100644
--- a/manifests/profile/pacemaker/ovn_northd.pp
+++ b/manifests/profile/pacemaker/ovn_northd.pp
@@ -32,7 +32,8 @@ # Defaults to hiera('pcs_tries', 20) # # [*ovn_dbs_vip*] -# (Optional) The OVN database virtual IP to be managed by the pacemaker. +# (Optional) The vip to be used for OVN DB servers. It is expected that +# the vip resource to be created before calling this class. # Defaults to hiera('ovn_dbs_vip') # # [*nb_db_port*]
@@ -67,21 +68,9 @@ class tripleo::profile::pacemaker::ovn_northd ( $ovndb_servers_ocf_name = 'ovn:ovndb-servers' $ovndb_vip_resource_name = "ip-${ovn_dbs_vip}" - if is_ipv6_address($ovn_dbs_vip) { - $netmask = '128' - $nic = interface_for_ip($ovn_dbs_vip) - } else { - $netmask = '32' - $nic = '' - } - - pacemaker::resource::ip { "${ovndb_vip_resource_name}": - ip_address => $ovn_dbs_vip, - cidr_netmask => $netmask, - nic => $nic, - tries => $pcs_tries, - } - + # By step 3, all the VIPs would have been created. + # After creating ovn ocf resource, colocate it with the + # VIP - ip-${ovn_dbs_vip}. pacemaker::resource::ocf { "${ovndb_servers_resource_name}": ocf_agent_name => "${ovndb_servers_ocf_name}", master_params => '',
@@ -96,15 +85,6 @@ class tripleo::profile::pacemaker::ovn_northd ( meta_params => 'notify=true' } - pacemaker::constraint::order { "${ovndb_vip_resource_name}-then-${ovndb_servers_resource_name}": - first_resource => "${ovndb_vip_resource_name}", - second_resource => "${ovndb_servers_resource_name}-master", - first_action => 'start', - second_action => 'start', - constraint_params => 'kind=Mandatory', - tries => $pcs_tries, - } - pacemaker::constraint::colocation { "${ovndb_vip_resource_name}-with-${ovndb_servers_resource_name}": source => "${ovndb_vip_resource_name}", target => "${ovndb_servers_resource_name}-master",
@@ -113,9 +93,7 @@ class tripleo::profile::pacemaker::ovn_northd ( tries => $pcs_tries, } - Pacemaker::Resource::Ip["${ovndb_vip_resource_name}"] -> - Pacemaker::Resource::Ocf["${ovndb_servers_resource_name}"] -> - Pacemaker::Constraint::Order["${ovndb_vip_resource_name}-then-${ovndb_servers_resource_name}"] -> - Pacemaker::Constraint::Colocation["${ovndb_vip_resource_name}-with-${ovndb_servers_resource_name}"] + Pacemaker::Resource::Ocf["${ovndb_servers_resource_name}"] -> + Pacemaker::Constraint::Colocation["${ovndb_vip_resource_name}-with-${ovndb_servers_resource_name}"] } } |
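Review bot: The colocation constraint kept in the last hunk still names `${ovndb_vip_resource_name}` as its `source`, but after this change the class neither declares that `pacemaker::resource::ip` nor orders anything after it. The only guarantee that `ip-${ovn_dbs_vip}` exists is therefore the step sequencing described in the new comment in the first hunk. If the VIP resource is absent or named differently, the constraint would presumably be retried up to `$pcs_tries` times and then fail. The second hunk also removes the start-order constraint between the VIP and the master with no replacement, so the new comment should say whether colocation alone is intended, for example `# Only colocation is enforced here; start order between the VIP and the master is not constrained.` The class body starts outside the hunks.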